◈ ⌘ api · Intermediate
Coinbase API Secret: Complete Setup Guide for Traders
Master Coinbase API key and secret setup, avoid common pitfalls like secret not showing, and connect your trading bots securely in minutes.
◈ Contents
Your Coinbase API secret is shown exactly once — the moment you create it. Miss that window and you're generating a new one. This catches traders off guard constantly, especially those migrating from platforms like Binance or Bybit where key management works differently. Understanding the full lifecycle of a Coinbase API key, from creation to authentication to troubleshooting, saves you from hours of frustration and potential security gaps.
How Coinbase API Keys Actually Work
Coinbase issues three components when you create an API key: the key itself (a public identifier), the secret (a private signing string), and optionally a passphrase (an extra layer you define). Unlike OKX or KuCoin where you can sometimes recover credentials through 2FA, Coinbase treats the secret as a one-time disclosure. Once the creation screen is gone, the secret is gone from their UI permanently.
The coinbase api key text you see during creation is your API key — a long alphanumeric string used to identify your requests. The secret is a separate, longer string used to sign those requests cryptographically. These two travel together but serve different functions: the key says who you are, the secret proves it.
- API Key: public identifier sent with every request
- API Secret: private string used to generate request signatures — never sent directly
- Passphrase: optional user-defined string, required if set during creation
- Permissions: read-only, trade, transfer — set at creation time, not editable later
Security rule: never store your coinbase api secret in source code or commit it to GitHub. Use environment variables or a secrets manager. A leaked secret with trade permissions gives full account access to whoever finds it.
Creating Your API Key on Coinbase
The process differs slightly between Coinbase Exchange (institutional) and Coinbase Advanced Trade. On Coinbase Advanced Trade, navigate to Settings → API → New API Key. On the legacy Coinbase Pro interface, it's under your profile menu. The coinbase api key mobile app path is limited — you can view existing keys but creating new ones is best done on desktop where you can safely copy the full secret.
When you hit Create, a modal appears with both your key and secret. This is the only moment the coinbase api secret is visible in plaintext. Copy it immediately to a password manager like 1Password or Bitwarden. The coinbase api secret not showing issue that frustrates traders on Reddit isn't a bug — it's by design. If you closed that modal, the secret is permanently inaccessible and you must revoke the key and generate a new one.
- Step 1: Go to Coinbase Advanced Trade → Settings → API
- Step 2: Click 'New API Key' and select permissions (View, Trade, Transfer)
- Step 3: Add your IP to the allowlist if running a dedicated server
- Step 4: Complete 2FA verification
- Step 5: Copy BOTH the key and secret before closing the modal
- Step 6: Store in environment variables, never in code
Coinbase API Secret Format and Authentication
The coinbase api secret format is a base64-encoded string, typically 88 characters long ending in '=='. When authenticating requests, you use HMAC-SHA256 to sign a message composed of the timestamp, HTTP method, request path, and body. This signature, combined with your key and timestamp, authenticates every request.
Here's a complete Python authentication setup you can drop into any trading script. This covers the signing logic that most coinbase api key not working issues trace back to — incorrect message formatting or timestamp drift.
import hmac
import hashlib
import time
import base64
import requests
import os
API_KEY = os.environ.get('COINBASE_API_KEY')
API_SECRET = os.environ.get('COINBASE_API_SECRET')
API_PASSPHRASE = os.environ.get('COINBASE_API_PASSPHRASE', '')
BASE_URL = 'https://api.exchange.coinbase.com'
def get_auth_headers(method: str, path: str, body: str = '') -> dict:
timestamp = str(time.time())
message = timestamp + method.upper() + path + body
secret_bytes = base64.b64decode(API_SECRET)
signature = hmac.new(secret_bytes, message.encode('utf-8'), hashlib.sha256)
signature_b64 = base64.b64encode(signature.digest()).decode('utf-8')
return {
'CB-ACCESS-KEY': API_KEY,
'CB-ACCESS-SIGN': signature_b64,
'CB-ACCESS-TIMESTAMP': timestamp,
'CB-ACCESS-PASSPHRASE': API_PASSPHRASE,
'Content-Type': 'application/json'
}
def get_accounts():
path = '/accounts'
headers = get_auth_headers('GET', path)
response = requests.get(BASE_URL + path, headers=headers)
response.raise_for_status()
return response.json()
try:
accounts = get_accounts()
for account in accounts:
if float(account['balance']) > 0:
print(f"{account['currency']}: {account['balance']}")
except requests.exceptions.HTTPError as e:
print(f'Auth failed: {e.response.status_code} - {e.response.text}')
except Exception as e:
print(f'Error: {e}')The coinbase api key passphrase is only required if you set one during key creation. If you didn't set a passphrase, send an empty string — don't omit the header entirely or you'll get a 400 error. This trips up traders coming from Binance or Bybit where passphrases aren't part of the auth flow.
Placing Orders and Parsing Responses
Once authentication is working, placing orders follows a straightforward JSON request pattern. Here's a working example for a market buy order with full error handling — the kind of code you'd use when connecting a signal from VoiceOfChain's real-time alerts directly to your Coinbase account.
import json
def place_market_order(product_id: str, side: str, size: str) -> dict:
"""
Place a market order on Coinbase Exchange.
product_id: e.g. 'BTC-USD'
side: 'buy' or 'sell'
size: amount in base currency (e.g. '0.001' for BTC)
"""
path = '/orders'
body_data = {
'type': 'market',
'side': side,
'product_id': product_id,
'size': size
}
body = json.dumps(body_data)
headers = get_auth_headers('POST', path, body)
response = requests.post(BASE_URL + path, headers=headers, data=body)
if response.status_code == 200:
order = response.json()
print(f"Order placed: {order['id']}")
print(f"Status: {order['status']}")
print(f"Filled size: {order.get('filled_size', '0')}")
return order
elif response.status_code == 401:
raise Exception('Authentication failed — check API key and secret')
elif response.status_code == 403:
raise Exception('Insufficient permissions — enable Trade on this API key')
elif response.status_code == 400:
error = response.json()
raise Exception(f"Bad request: {error.get('message', 'unknown error')}")
else:
response.raise_for_status()
# Example: buy 0.001 BTC at market price
try:
order = place_market_order('BTC-USD', 'buy', '0.001')
except Exception as e:
print(f'Order failed: {e}')Troubleshooting Common API Key Issues
The coinbase api key not working errors break down into a few consistent patterns. Most stem from authentication misconfiguration rather than permissions issues. Here's how to diagnose each one systematically.
| Error | Likely Cause | Fix |
|---|---|---|
| 401 Unauthorized | Wrong secret or incorrect signing | Verify secret format, check HMAC message construction |
| 400 Invalid passphrase | Passphrase mismatch | Use empty string if no passphrase was set |
| 403 Forbidden | Missing permissions | Regenerate key with Trade permissions enabled |
| Timestamp expired | Clock drift > 30 seconds | Sync system clock via NTP |
| Connection refused | IP not whitelisted | Add your server IP to the key's allowlist |
The timestamp issue deserves special mention. Coinbase rejects requests where the timestamp is more than 30 seconds off server time. On cloud servers this rarely matters, but on local machines or Raspberry Pi bots, clock drift is a real problem. Run 'sudo ntpdate -s time.nist.gov' on Linux or check Date & Time settings on Mac to resync.
Traders migrating from platforms like Gate.io or Bitget sometimes get tripped up by the coinbase api secret format — those platforms use different encoding schemes. Coinbase secrets are base64-encoded, so you must decode them before using in the HMAC function. The code above handles this correctly with base64.b64decode().
const crypto = require('crypto');
const https = require('https');
const API_KEY = process.env.COINBASE_API_KEY;
const API_SECRET = process.env.COINBASE_API_SECRET;
const API_PASSPHRASE = process.env.COINBASE_API_PASSPHRASE || '';
function getAuthHeaders(method, path, body = '') {
const timestamp = Date.now() / 1000;
const message = timestamp + method.toUpperCase() + path + body;
const secret = Buffer.from(API_SECRET, 'base64');
const signature = crypto
.createHmac('sha256', secret)
.update(message)
.digest('base64');
return {
'CB-ACCESS-KEY': API_KEY,
'CB-ACCESS-SIGN': signature,
'CB-ACCESS-TIMESTAMP': timestamp.toString(),
'CB-ACCESS-PASSPHRASE': API_PASSPHRASE,
'Content-Type': 'application/json'
};
}
async function getTicker(productId) {
const path = `/products/${productId}/ticker`;
const headers = getAuthHeaders('GET', path);
const response = await fetch(`https://api.exchange.coinbase.com${path}`, {
headers
});
if (!response.ok) {
const err = await response.json();
throw new Error(`${response.status}: ${err.message}`);
}
return response.json();
}
getTicker('BTC-USD')
.then(data => console.log(`BTC Price: $${data.price}`))
.catch(err => console.error('Failed:', err.message));Frequently Asked Questions
Why is my Coinbase API secret not showing after creation?
Coinbase displays the secret only once, at the moment of creation. If you closed the modal without copying it, the secret is gone permanently — you need to delete the key and create a new one. Always save it to a password manager immediately during creation.
What is the correct Coinbase API secret format?
The Coinbase API secret is a base64-encoded string, typically 88 characters ending in '=='. When using it in HMAC-SHA256 signing, you must first decode it from base64 before passing it as the key. Treating it as a plain string is the most common cause of 401 errors.
Do I need a passphrase for my Coinbase API key?
Only if you set one during key creation. If you didn't configure a passphrase, send an empty string in the CB-ACCESS-PASSPHRASE header — don't omit the header. If you did set one and forgot it, you'll need to regenerate the key since passphrases can't be recovered.
Can I create a Coinbase API key on the mobile app?
The Coinbase mobile app lets you view existing API keys but the full creation workflow — where you can set permissions, IP restrictions, and copy the secret — is available on the desktop web interface. Use desktop for initial setup to avoid missing the secret disclosure window.
Why does my Coinbase API key work for reading but not trading?
Trading requires explicit Trade permission enabled at key creation. Read-only keys return 403 Forbidden on order endpoints. Since permissions can't be edited after creation, you'll need to create a new key with Trade permissions checked. Verify the permissions listed in your Coinbase API settings match what your bot requires.
Is it safe to use Coinbase API with third-party trading bots?
It's safe if you follow key hygiene: enable only the permissions your bot needs (avoid Transfer unless necessary), whitelist your bot's IP address, and never give the key to platforms you don't trust. Platforms like VoiceOfChain that provide trading signals let you keep full control — you execute trades yourself rather than handing over credentials.
Conclusion
The Coinbase API secret workflow is stricter than most exchanges — that one-time disclosure model is a deliberate security choice, not an oversight. Once you internalize that and build your setup around it (password manager, env vars, IP allowlisting), Coinbase's API is reliable and well-documented. The authentication pattern shown here works for everything from simple balance checks to automated trading systems that act on real-time signals from platforms like VoiceOfChain. Get the signing logic right once, wrap it in proper error handling, and you have a solid foundation for any trading automation you want to build on top.